Over the past week, the cybercriminals behind the recently profiled ‘Citibank Merchant Billing Statement’ themed campaign resumed operations and launched yet another massive spam campaign impersonating Citibank, in an attempt to trick Citibank's customers into executing the malicious attachment found in the fake emails.

Once executed, the sample starts listening on port 12674. It then drops files with the following MD5s on the affected hosts:
MD5: 6044cc337b5dbf82f8746251a13f0bb2
MD5: d20d915dbdcb0cca634810744b668c70
MD5: 758498d6b275e58e3c83494ad6080ac2

It also creates the following Registry Key:
HKEY_CURRENT_USER\Software\Microsoft\Evfyfarya

It also creates a large number of Mutexes.

It then phones back to a large number of C&C servers.
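For responders who want to check a Windows host for the indicators listed above (the port 12674 listener, the three dropped-file MD5s and the Evfyfarya registry key), here is an added triage script; it is example code written for this post, not part of the original or any tool the campaign analysis used, and the directories it hashes are an assumption about likely drop locations.

```powershell
# Added triage example, not from the original post.
# Indicators taken from the post: listening port 12674, three dropped-file MD5s,
# and the HKCU\Software\Microsoft\Evfyfarya key. Scan paths are an assumption.

$KnownMd5 = @(
    '6044cc337b5dbf82f8746251a13f0bb2',
    'd20d915dbdcb0cca634810744b668c70',
    '758498d6b275e58e3c83494ad6080ac2'
)
$RegKey    = 'HKCU:\Software\Microsoft\Evfyfarya'
$Port      = 12674
# Assumed drop locations to hash; widen as needed for a real triage.
$ScanPaths = @("$env:APPDATA", "$env:LOCALAPPDATA", "$env:TEMP")

$findings = @()

# 1. Registry persistence marker named in the post
if (Test-Path $RegKey) {
    $findings += "Registry key present: $RegKey"
}

# 2. TCP listener on the port the sample opens, with the owning process
$listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP listener on $Port by PID $($l.OwningProcess) ($($proc.ProcessName))"
}

# 3. Dropped files matched by MD5 (depth-limited to keep the scan quick)
foreach ($p in $ScanPaths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -File -Recurse -Depth 2 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($h -and ($KnownMd5 -contains $h.ToLower())) {
            $findings += "Known MD5 $h at $($_.FullName)"
        }
      }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it from an elevated PowerShell 5 or later session so Get-NetTCPConnection can resolve the owning process; a hit on any of the three checks is a reason to isolate the host and preserve it for forensics.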